New Trojan Horse Targets Macs

Mac-based security software company, Intego, is warning that a Trojan horse targeting Macs is actively out in the wild and that at least 20,000 users have already downloaded (although not necessarily installed) infected software. The Trojan horse has the name OSX.Trojan.iServices.A and it is piggybacking on pirated copies of Apple's new iWork '09, which users are downloading via BitTorrent.

The Mac OS, which is at least partially based on BSD UNIX, is typically regarded as a relatively safe haven from malware. Not that the Mac OS hasn't seen its share of malware, but nothing that even comes remotely close to the sheer volume of malware that has targeted Windows PCs. Part of this is a result of Windows' near hegemony of the world's installed operating systems--with such a large installed base, it is a natural target. The Mac, with a much smaller share of the market--currently estimated to be about 10 percent in the U.S.--has been a less tempting target for malware writers. Some would also argue that the Mac OS is an inherently safer OS, less prone to potential malware attacks than Windows. But with the increased market share Macs have had recently, as well as the ever-increasing sophistication of malware attacks, it is likely just a matter of time before malware attacks on Mac systems become more commonplace.

Online sources of "questionable" material, such as pornography and pirated software, have long been primary sources of malware (although, by no means the only sources); and this holds true for the current Mac OS malware attack. It turns out that while the pirated copies of iWork '09 are in fact "complete and functional," they also include an added installer package, iWorkServices.pkg. When a user installs the infected copy of iWork '09, the user is asked to provide an administrator password, which is not an uncommon occurrence for some Mac OS application installation routines. Once the password is entered, iWorkServices.pkg gets "installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root." Root-level access, also often referred to as superuser, essentially means that the user or application has all permissions to all of the files on a system.
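A defender's check for the startup item path quoted above, as an added example that is not from Intego or the original article. The function name `check_iworkservices` and its ROOT argument are assumptions made for illustration, and it looks only for the one path the article names.

```shell
#!/bin/sh
# Added example: look for the startup item location quoted in the article.
# Path is relative so it can be checked under "/" or under a mounted image.
ITEM_PATH="System/Library/StartupItems/iWorkServices"

# check_iworkservices ROOT   (hypothetical helper name)
#   ROOT: filesystem root to inspect. Use "/" on a live Mac, or the mount
#         point of a disk image or backup being examined.
#   Returns 0 if the item is present, 1 if it is absent.
check_iworkservices() {
    root="${1:-/}"
    target="${root%/}/$ITEM_PATH"

    # -L also catches a dangling symlink left at that location.
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "FOUND: $target"
        # Owner and mode; the article reports read-write-execute for root.
        ls -ld "$target"
        if [ -d "$target" ]; then
            # List contents so the files can be collected before removal.
            ls -la "$target"
        fi
        return 0
    fi

    echo "not found: $target"
    return 1
}

# When run as a script with an argument, check that root and exit with
# the function's status (0 = present, 1 = absent).
if [ "$#" -gt 0 ]; then
    check_iworkservices "$1"
    exit $?
fi
```

A clean result here only says that this one path is absent; it is not a full scan of the system.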

Once the malware is successfully installed, it connects to a remote server, giving the malware creator the ability to remotely access the infected Mac. While this opens the door for potential malicious activity, such as stealing personal information and data, there are no reports yet of any of the "extremely serious consequences" that Intego warns of. Intego also reports that its VirusBarrier X4 and X5 software with the latest virus definitions protect against this Trojan horse.

Whether this means that Mac users are now regularly in the crosshairs of malware writers is open to debate. If this Trojan horse, which has been downloaded over 20,000 times, were targeted at Windows users, it would hardly be considered newsworthy. But since this Trojan is targeting an OS that is seldom targeted, it is a notable event. This doesn't necessarily mean that Mac users should run out, purchase, and install security software today; but by the same token, Ben Franklin's advice that an ounce of prevention is worth a pound of cure is worth considering. Just because today's malware attack only impacted users who downloaded pirated software doesn't mean that tomorrow's malware attack couldn't have a far more benign-looking delivery mechanism.